[squid-users] Ipv6 error

Schroeffu info at schroeffu.ch
Wed Nov 7 20:54:08 UTC 2018 

I have had today experienced today exactly the same issue with Squid 4.4 for
this URL: https://bugs.squid-cache.org/index.cgi
(but not https://wiki.squid-cache.org/*, that one works)

Error Message from Squid:

/The following error was encountered while trying to retrieve the URL:
https://bugs.squid-cache.org/*
Connection to 2001:4801:7827:102:ad34:6f78:b6dc:fbed failed.
The system returned: (101) Network is unreachable/

It is not only IPv6 related issue. It happens to me when denying any request
via proxy without authentification like this:

/acl Authenticated_Users proxy_auth REQUIRED
http_access deny !Authenticated_Users all/

You will see in the access log Squid is trying to hit
http://cert.int-x3.letsencrypt.org/ directly with 407 (not authenticated), i
am so confused, why is it doing that and why is it not authenticating?

1541623232.530      0 - *TCP_DENIED/407 3619 GET
http://cert.int-x3.letsencrypt.org/* - HIER_NONE/- text/html;charset=utf-8
1541623232.530    245 172.16.5.15 NONE/200 0 CONNECT
bugs.squid-cache.org:443 xxxx
HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed -
1541623232.546      0 172.16.5.15 NONE/503 4940 GET
https://bugs.squid-cache.org/favicon.ico xxxx HIER_NONE/- text/html

So i added another acl on top in squid.conf  to whitelist  *.letsencrypt.org
without authentification and bam, the website
https://bugs.squid-cache.org/index.cgi is opening now:

/acl white_regexp url_regex -i
"/etc/squid/domains_whitelist_regex_without_authentification.acl"
http_access allow white_regexp/

Content: 
\.letsencrypt\.org

I think somebody should track this, it is so weird! Why it happens on
https://bugs.squid-cache.org/index.cgi and how is that letsencrypt related?
I have no problems with any other letsencrypt secured domains and also not
on any site providing ipv4/ipv6 at the same time (Google/Facebook). But yes,
also my Proxy can *not*speech ipv6, if that is something related with
letsencrypt?
more specs:
- ssl bump active
- icapcan active
- ntlm and basic auth active
- dns_v4_first on/off doen't matter/doesnt change anything.



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html

More information about the squid-users mailing list